Re: converting pcapng to pcap

[Guy Harris <guy () alum mit edu>]

On Sep 28, 2012, at 10:39 AM, Albert Lo <ALo () advancedio com> wrote:

> I would like to know where I can find the source files for editcap.
> What libpcap API's are being called to convert .pcapng to .pcap with the following cmd?
>  
> > editcap -F libpcap -T ether file.pcapng file.pcap

As Jakub noted, we don't use libpcap to read or write capture files.

However, if you convert pcap-ng to pcap with the command

        tcpdump -r file.pcapng -w file.pcap

on a system with libpcap 1.1.0 or later, the APIs used are

        pcap_open_offline(), to open the input file;

        pcap_loop(), to read the packets;

        pcap_close(), to close the input file;

        pcap_dump_open(), to open the output file;

        pcap_dump(), to write to the output file;

        pcap_dump_close(), to close the output file.

That will, of course, only work if the file can actually be converted to pcap without damaging it, i.e. if all the 
interfaces in the pcap-ng file have the same link-layer type.  If they don't, the file cannot be represented in a pcap 
file in any form that will actually give the write answer if you try to read it (so "-T ether" isn't going to fix that 
problem with editcap).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe